Re: [chrony-dev] [PATCH v3] main: add -X to fall back if time is not adjustable

[Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>]

On Tue, Mar 13, 2018 at 11:29 AM, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:

On Tue, Mar 13, 2018 at 10:45:56AM +0100, Christian Ehrhardt wrote:
> In unprivileged containers even after e8096330 "sys_linux: don't keep
> CAP_SYS_TIME with -x option" default installations
> will still run without an explicit -x being set and therefore fail by
> missing CAP_SYS_TIME.
>
> In some use cases users want the NTP server service to "just work" which
> in a non-CAP_SYS_TIME environment means that chrony has to fall back.

As I said in the previous mail, they can use -x to have an NTP server
that always "works". We seem to agree that neither -x or -X should be
a default. In what configuration it would be useful to enable -X but
not -x?

The important part is the lack of knowledge of the target systems capabilities.

They are:

- not detectable by some install paths, for example

  - install in VM with behavior A onto phys disk but reboot host into said disk

  - installing on a remote disk mounted chroot, which might be totally different when this runs.

  - ...

- Several tools/configs might add/remove capabilities from a system later on in the lifecycle

- Some move machines between places with different capabilities

- ...

The TL;DR of the "motivation" is: the inability to decide if using "-x" is right or not (at any time).

With just "-x" available this leads to one of the following:

A) So if one sets "-x" it will NEVER sync the clock even if the system would be capable to do so.

B) if one does not set "-x" it will fail to start (even the server portion of chronyd) in some environments

The addition of the new "-X" provides a new case

C) set -X which will sync the clock if it runs (currently) in an environment able to do so

BTW - in case it might be better to discuss interactive - I'm "cpaelzer" on freednode IRC.

If there is a common place chrony matters are usually discussed (other than the ML) that would be nice to know - I haven't found a hint about it on the web page.

I appreciate the effort you put into the patch, but without a use case
it seems to me like an unnecessary complication of the code and
another trap for the user to fall in.

> By that a user will get an NTP server working independent to the
> environment, that will control the local time if it is able to do so.
>
> This is not set as default as the fallback is considered a loss of time
> control that users should opt-in, but the new config allows an admin and
> setup tools to opt into -x like behavior without loosing the feature to
> control time when running in an environment that is able to do so.

They either need the clock to be controlled by chronyd or they don't.
If they don't, I think they can always use -x.

I have some comments about the patch, but I think we should make this
clear first.

--
Miroslav Lichvar

--
To unsubscribe email chrony-dev-request@chrony.tuxfamily.org with "unsubscribe" in the subject.
For help email chrony-dev-request@chrony.tuxfamily.org with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxx.org.

--

Christian Ehrhardt

Software Engineer, Ubuntu Server

Canonical Ltd